synk issues for Cross-site Scripting (XSS)

[MdMumtajTR]

Hi Team,

While running a vulnerability scan using the Snyk tool, I encountered a Cross-site Scripting (XSS) issue related to unsensitized input in the squizlabs/php_codesniffer/CodeSniffer/CLI.php file. The issue appears at multiple lines, including 472, 608, 621, 630, 657, 668, 680, 707, 730, 754, 879, 890, 940, 948, 1215, and others.

The description of the issue indicates that unsanitized input from an HTTP header flow into an include statement, where it is included dynamically. Allowing unvalidated user input to control file inclusion in PHP can lead to malicious code execution.

Currently, I am using squizlabs/php_codesniffer version 2.9.

Could you please advise on how to resolve this issue? Thank you in advance!
Let me know if you'd like any further adjustments!
File Path: https://github.com/squizlabs/PHP_CodeSniffer/blob/2.9/CodeSniffer/CLI.php

[jrfnl]

1. Do not open issues here. This repo is abandoned and https://github.com/PHPCSStandards/PHP_CodeSniffer is its successor. See The Future of PHP_CodeSniffer #3932.
2. Before you do anything else, please upgrade to the latest release. The last PHPCS 2.9 tag was released in 2018 and the 2.x branch will not receive any new releases anymore. The current version of PHP_CodeSniffer is version 3.13.0.
3. Don't trust tooling for finding security vulnerabilities. Most will hallucinate based on patterns without actual understanding of the code. You should ALWAYS validate any such reported issues. Reporting these kind of hallucinations to maintainers is harmful and wastes a lot of maintainer time.
4. Security vulnerabilities (when not hallucinated) should be disclosed responsibly, i.e. in private, not in a public discussion like this. Follow the Security policy of an organisation to report issues.
5. When validating a security issue, make sure to come up with a valid proof of concept of how something can be abused and include this POC in the report.